Google has disclosed a vulnerability in Internet Explorer and Edge, and Microsoft has still not released an update to fix it. In the worst case the flaw could let an attacker run arbitrary code on the system, for example to install malware.
This case is somewhat different from Google Project Zero's usual warnings, however. Microsoft is presumably far from pleased with the behaviour of its competitor. Because February's Patch Tuesday was cancelled, Microsoft could not ship fixes for several security holes even though the patches were already finished. Redmond would no doubt have preferred Google to hold off publishing the vulnerability until the next regular updates are released.
The proof of concept that Google has published only crashes the browser. Google reported the flaw to Microsoft on 25 November. By default Project Zero applies a 90-day deadline, after which details of the vulnerability are made public regardless of whether the vendor has already rolled out a fix. Microsoft may have planned to patch the vulnerability on February's Patch Tuesday, but the company decided to postpone all of that month's security updates to Tuesday, 14 March.
How does this vulnerability put our systems at risk?
The vulnerability could allow attackers to execute arbitrary code remotely on affected systems. It lets an attacker crash Internet Explorer and also corrupt memory. Ivan Fratric of Google Project Zero has published a proof of concept which suggests that, in theory, an attacker could use the flaw to gain access to an affected system. It is currently unknown whether the flaw has already been exploited in the wild.
Fratric says he reproduced the bug in the 64-bit version of Internet Explorer on Windows Server 2012 R2. He assumes, however, that the problem also affects the 32-bit version and that Microsoft Edge is vulnerable as well as Internet Explorer 11. That would mean every version of Windows from Windows 7 upwards is affected, so users of Windows 8.1 and Windows 10 are also at risk.
Fratric reported his discovery to Microsoft on 25 November. Because the company had not delivered a patch by 25 February, details of the vulnerability have now been published.
Risk Based Security director Carsten Eiram said:
“There are no exploits available, but a proof of concept demonstrating the problem. This proof of concept can provide a good starting point for anyone who wants to develop a functional exploit. Google Project Zero even includes some comments on how to possibly achieve code execution.”
Based on the risk it poses to systems, Risk Based Security's researchers have given the vulnerability a severity score of 6.8. It is still unclear when Microsoft will update the browsers; the company has made no official statement. I think we may have to wait until Tuesday, 14 March, when Microsoft is expected to release all of its security patches.